Saturday, July 28, 2007

Quantitative Risk Analysis

The difference between quantitative and qualitative RA is fairly simple: quantitative RA attempts to assign independently objective numeric values (hard dollars, for example) to the components of the risk assessment and to the assessment of potential losses. Qualitative RA addresses the more intangible values of a data loss and focuses on other issues rather than the pure hard costs.

When all elements (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability) are measured, rated, and assigned values, the process is considered to be fully quantitative. However, fully quantitative risk analysis is not possible, because qualitative measures must still be applied. Thus, the reader should be aware that just because the figures look hard on paper does not mean it is possible to foretell the future with any certainty.

A quantitative risk analysis process is a major project, and as such it requires a project or program manager to manage the main elements of the analysis. A major part of the initial planning for the quantitative RA is the estimation of the time required to perform the analysis. In addition, a detailed process plan must also be created, and roles must be assigned to the RA team.

Preliminary Security Examination (PSE)

A PSE is often conducted before the actual quantitative RA. The PSE helps to gather the elements that will be needed when the actual RA takes place. A PSE also helps to focus an RA. Elements that are defined during this phase include asset costs and values, a listing of the various threats to an organization (in terms of threats to both the personnel and the environment), and documentation of the existing security measures. The PSE is normally then subject to a review by the organization's management before the RA begins.

Automated Risk Analysis Products

There are several good automated risk analysis products on the market. The main objective of these products is to minimize the manual effort that must be expended to create the risk analysis and to provide a company with the ability to forecast its expected losses quickly with different input variations. The creation of a database during an initial automated process enables the operator to rerun the analysis using different parameters—to create a what-if scenario. These products enable users to perform calculations quickly in order to estimate future expected losses, thereby determining the benefit of their implemented safeguards.
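The what-if calculation such products perform, as an added example that is not part of the original post: it uses the standard quantitative RA formulas (single loss expectancy = asset value x exposure factor, annualized loss expectancy = SLE x annualized rate of occurrence), which the post does not spell out, and the asset, threat-frequency and safeguard figures below are constructed sample values, not data from the post.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RiskInput:
    asset_value: float      # hard-dollar value of the asset
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (threat frequency)

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # yearly cost of running the safeguard
    effectiveness: float    # fraction of the threat frequency it removes (0..1)

def sle(r: RiskInput) -> float:
    """Single loss expectancy: dollars lost in one incident."""
    return r.asset_value * r.exposure_factor

def ale(r: RiskInput) -> float:
    """Annualized loss expectancy: expected dollars lost per year."""
    return sle(r) * r.aro

def safeguard_benefit(r: RiskInput, s: Safeguard) -> float:
    """Net annual benefit of a safeguard: ALE avoided minus what it costs to run.
    A negative value means the safeguard costs more than the loss it prevents."""
    after = replace(r, aro=r.aro * (1.0 - s.effectiveness))
    return ale(r) - ale(after) - s.annual_cost

def what_if(r: RiskInput, s: Safeguard, aro_values) -> dict:
    """Rerun the analysis with different threat-frequency estimates, because the
    ARO is usually the most uncertain input in the whole assessment."""
    return {aro: safeguard_benefit(replace(r, aro=aro), s) for aro in aro_values}

# Constructed sample scenario (hypothetical figures).
CUSTOMER_DB = RiskInput(asset_value=500_000.0, exposure_factor=0.2, aro=0.5)
BACKUP_SCHEME = Safeguard(name="offsite backups", annual_cost=15_000.0, effectiveness=0.8)

if __name__ == "__main__":
    print(f"SLE: {sle(CUSTOMER_DB):,.0f}  ALE: {ale(CUSTOMER_DB):,.0f}")
    print(f"Net benefit of {BACKUP_SCHEME.name}: {safeguard_benefit(CUSTOMER_DB, BACKUP_SCHEME):,.0f}")
    for aro, benefit in what_if(CUSTOMER_DB, BACKUP_SCHEME, [0.1, 0.5, 2.0]).items():
        print(f"  if ARO = {aro}: net benefit {benefit:,.0f}")
```

Running the what-if loop shows why the post's warning about uncertainty matters: the same safeguard is a net loss at ARO 0.1 and clearly worthwhile at ARO 0.5 or above.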